ifupdown2: wireguard + routing tables support

roles/ifupdown2/defaults/main.yml

@@ -1,3 +1,5 @@
 ---
 ifupdown2__interfaces: {}
+ifupdown2__wireguard: {}
+ifupdown2__wireguard_keepalive: 0
 ...

roles/ifupdown2/tasks/main.yml

@@ -1,4 +1,33 @@
 ---
+- name: Ensure that interfaces names don't overlap
+  assert:
+    that: "not (ifupdown2__interfaces.keys()
+                | intersect(ifupdown2__wireguard.keys()))"
+    msg: "Static and wireguard interfaces names must not overlap"
+
+- name: Install wireguard
+  apt:
+    name: wireguard
+  when: ifupdown2__wireguard
+
+- name: Configure wireguard
+  template:
+    src: wireguard.conf.j2
+    dest: "/etc/wireguard/{{ item.key }}.conf"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=
+  #no_log: true
+  loop: "{{ ifupdown2__wireguard | dict2items }}"
+  register: results_wireguard
+
+- name: Synchronise wireguard config if necessary
+  command: "wg syncconf {{ item.0.key }} /etc/wireguard/{{ item.0.key }}.conf"
+  when: "item.0.key in ansible_interfaces and item.1.changed"
+  loop: "{{ ifupdown2__wireguard
+            | dict2items
+            | zip(results_wireguard.results) }}"
+
 - name: Gather package facts
   package_facts:
     manager: apt

roles/ifupdown2/templates/interfaces.j2

@@ -1,14 +1,32 @@
 {{ ansible_managed | comment }}
 
+{% macro iface_common(iface) %}
+{% for address in iface.addresses | default([]) %}
+address {{ address | ipaddr }}
+{% endfor %}
+{% for gateway in iface.gateways | default([]) %}
+gateway {{ gateway | ipaddr }}
+{% endfor %}
+{% if iface.forward | default(false) %}
+ip-forward yes
+ip6-forward yes
+{% endif %}
+{% if iface.goto_table is defined %}
+pre-up ip rule add iif $IFACE table {{ iface.goto_table }}
+pre-up ip rule add iif $IFACE blackhole
+post-down ip rule del iif $IFACE table {{ iface.goto_table }}
+post-down ip rule del iif $IFACE blackhole
+{% endif %}
+{% if iface.ipv6_addrgen is defined %}
+ipv6-addrgen {{ iface.ipv6_addrgen
+	        | ternary("yes", "no") }}
+{% endif %}
+{% endmacro %}
+
 {% for name, iface in ifupdown2__interfaces.items() %}
 auto {{ name }}
 iface {{ name }}
-{% for address in iface.addresses | default([]) %}
+    {{ iface_common(iface) | indent(4) }}
-    address {{ address | ipaddr }}
-{% endfor %}
-{% for gateway in iface.gateways | default([]) %}
-    gateway {{ gateway | ipaddr }}
-{% endfor %}
 {% if iface.bridge_ports is defined %}
     bridge-ports {{ iface.bridge_ports | join(" ") }}
 {% endif %}
@@ -29,13 +47,17 @@ iface {{ name }}
     bridge-pvid 0
     post-up bridge vlan del dev {{ name }} vid 1 self
 {% endif %}
-{% if iface.forward | default(false) %}
+
-    ip-forward yes
+{% endfor %}
-    ip6-forward yes
+
-{% endif %}
+{% for name, iface in ifupdown2__wireguard.items() %}
-{% if iface.ipv6_addrgen is defined %}
+auto {{ name }}
-    ipv6-addrgen {{ iface.ipv6_addrgen
+iface {{ name }}
-                    | ternary("yes", "no") }}
+    link-type wireguard
-{% endif %}
+    {{ iface_common(iface) | indent(4) }}
+    pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+{% for address in iface.peer_allowed_addresses | default([]) %}
+    post-up ip route add {{ address }} dev $IFACE
+{% endfor %}
 
 {% endfor %}

roles/ifupdown2/templates/wireguard.conf.j2

@@ -0,0 +1,16 @@
+{{ ansible_managed | comment }}
+
+[Interface]
+PrivateKey = {{ item.value.private_key }}
+{% if "listen_port" in item.value %}
+ListenPort = {{ item.value.listen_port }}
+{% endif %}
+
+[Peer]
+PublicKey = {{ item.value.peer_public_key }}
+AllowedIPs = {{ item.value.peer_allowed_addresses | join(", ") }}
+PersistentKeepalive = {{ item.value.peer_keepalive
+                         | default(ifupdown2__wireguard_keepalive) }}
+{% if "peer_endpoint" in item.value %}
+Endpoint = {{ item.value.peer_endpoint }}
+{% endif %}